On Wednesday 2012-01-11 14:42, Lennart Poettering wrote: >On Wed, 11.01.12 08:21, Jan Engelhardt (jeng...@medozas.de) wrote: > >> >> >> On Tuesday 2012-01-10 23:24, Lennart Poettering wrote: >> > >> >http://www.freedesktop.org/wiki/Software/systemd/RootStorageDaemons >> > >> >If you are involved with early-boot stuff, like building initrds, or are >> >doing storage stuff or are otherwise interested please have a look. >> >-------------- >> >Processes (run by the root user) whose first character of the zeroth command >> >line argument is '@' are excluded from the killing spree, much the same way >> >as >> >kernel threads are excluded too. [...] >> >Note that this functionality is only to be used by programs running from the >> >initramfs, and not for programs running from the root file system itself. >> >> Forcing the use of @ introduces a policy, which should preferably not be >> done. Since programs started from the initrd obviously should be having >> a /proc/*/{cwd,exe} symlinks pointing to the initramfs vfsmount. > >They are in a different namespace, so that wouldn't work.
Namespace as in clone(2)'s CLONE_NEWNS? >> If the initramfs vfsmount (rootfs) is mounted and/or moved (pivot_root) >> somewhere into the main root, one can determine the special processes >> simply by looking for that directory prefix on the procfs links. > >It's not about figuring out which processes are from the initrd, it's >about figuring out which processes want to be excluded from the killing >spree. i.e. there are a number of processes from the initrd which stick >around during normal operation which are still to be killed in the >killing spree, most prominently plymouth. Still, if you can detect the rootfs, whitelisting becomes an option. _______________________________________________ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
